Implementing Certificate Renewal for Tailscale and Other Foreign Certifications on pfSense

RotekHandelsGmbH/pfsense_tailscale_certificates_renewal

pfsense_tailscale_certificates_renewal

Shell scripts designed to install certificates that were not generated using pfSense's acme module.

While there are proposed solutions that involve directly editing the /conf/config.xml file with scripts, it is important to note that modifying the config.xml file directly is a delicate operation and should be approached with caution.

If you choose to install such scripts, be sure to create a backup of the /conf/config.xml file before making any changes.

Here, we install certificates from Tailscale, but you can customize these scripts for your specific application to import any other certificate. This process utilizes the acme-command.sh from the acme package, eliminating the need for direct manipulation of the config.xml file.

compatibility:
  • tested with pfSense 2.7.2 Release
skills you need to implement these scripts:
  • basic knowledge of the shell
  • some access via ssh to transfer files and issue commands
  • access to the firewall's web interface
prerequisites:
  • install and configure the tailscale package on pfSense (if you want to use the tailscale VPN)
  • enable https in the tailscale admin console
  • if you don't use tailscale, some method to copy your certificates to the firewall
preparation:
  • install the cron package on pfSense
  • install the acme package on pfSense
notes:
  • please note that pfSense needs <LF> line endings in sh scripts; <CR><LF> will not work.
step-by-step guide:
  • fill in the correct values in our config.sh
  • copy the files, for instance to /usr/local/tailscale-cert. We suggest using the Bitvise SSH client and SFTP
  • enter the shell on pfSense and become root with su
  • set permissions: chmod -R 0755 /usr/local/tailscale-cert
  • fetch the certificates: /usr/local/tailscale-cert/renew_tailscale_certificates.sh
  • the Let's Encrypt root and intermediate certificates should now be visible in the web GUI:
    (screenshot: pfSense certificate authorities)
  • create the entry for the certificate. The Descriptive name needs to match the setting in config.sh
  • the Certificate data is the certificate itself, which can be extracted from the first block of the fullchain.pem
  • the Private key data is the private key
    (screenshot: pfSense certificate create)
  • select your certificate for the webConfigurator:
    (screenshot: pfSense certificate webConfigurator)
  • restart the webConfigurator, either from the pfSense console or by calling /usr/local/tailscale-cert/renew_tailscale_certificates.sh again
  • create a cron setting (see last line). You can even run it daily or weekly, since tailscale will simply deliver the same certificates if no renewal is due:
    (screenshot: pfSense certificate cron job)
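Two of the steps above are easy to get wrong by hand: pulling only the first PEM block out of fullchain.pem for the Certificate data field, and keeping the scripts in <LF> line endings. The helpers below are an added example, not part of the repository's scripts; the sample fullchain is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the repository). Helpers for the guide above:
# split fullchain.pem into leaf and chain, and detect/fix CR LF endings.

# Print the leaf certificate: the first PEM block of fullchain.pem.
# This is what goes into the pfSense "Certificate data" field.
leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1}
         p{print}
         /-----END CERTIFICATE-----/{if (p) exit}' "$1"
}

# Print everything after the first block: the intermediate and root
# certificates that the acme package imports as certificate authorities.
chain_certs() {
    awk 'done{print} /-----END CERTIFICATE-----/{done=1}' "$1"
}

# Return true (0) if a file contains a carriage return, i.e. was saved
# with <CR><LF> endings, which pfSense's sh will not execute correctly.
has_crlf() {
    LC_ALL=C grep -q "$(printf '\r')" "$1"
}

# Rewrite a script in place with <LF> endings only.
fix_line_endings() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed three-block fullchain.pem placeholder (leaf, intermediate,
# root) used for the checks below; the bodies are not real DER data.
make_sample_fullchain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAFDATA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEDATA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTDATA
-----END CERTIFICATE-----
EOF
}
```

Before the first run, `for f in /usr/local/tailscale-cert/*.sh; do has_crlf "$f" && fix_line_endings "$f"; done` catches scripts that were edited on Windows.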
further information and inspirations:

Changelog

v.1.0.0 release
